Social Security Number

Information available on the Internet can in certain cases be used to predict individual Social Security numbers, posing a risk of identity theft that policy-makers and individuals should address. This finding is an unexpected consequence of public information in modern economies.

Hundreds of Users vs. Millions of Users

Moving applications from the hands of hundreds of users to millions can be an exciting way to expand markets and save resources at the same time. For instance, online banking has greatly automated many banking processes and provided a new service to customers, but it has also exposed banks to new threats. Let's look at the following example.

Enumeration Attack

This bank uses the web to allow customers to view their account details and pay bills online. It uses the Social Security number as the username and a four-digit ATM PIN as the secret password.

This kind of protection against password enumeration works well for client-server applications. On the web, however, a hacker could write a script that works through one Social Security number after another and tries just one PIN for each.

If a hacker uses Social Security numbers of people living in the bank's area (and a common password like "123456" or "PASSWORD"), the script will be able to get at least one account in a matter of hours; in a matter of days the hacker will get the accounts of all of the bank's customers.
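A defender-side check for the pattern described above, as an added example that is not part of the original page: a counter kept per account sees at most one failure from such a script, so the check counts how many distinct usernames each source fails against within a time window. The log format, the threshold, the function names and the log lines are assumptions constructed for this example, and the usernames are placeholders standing in for account identifiers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format is an assumption): time, source, username, result.
# One source fails once against eight different accounts; a real customer
# mistypes a PIN twice and then logs in.
SAMPLE_LOG = "\n".join(
    [f"2024-01-01T10:0{i}:00 198.51.100.7 user-{i:04d} FAIL" for i in range(8)]
    + ["2024-01-01T10:02:10 203.0.113.20 user-0100 FAIL",
       "2024-01-01T10:02:40 203.0.113.20 user-0100 FAIL",
       "2024-01-01T10:03:05 203.0.113.20 user-0100 OK"]
)

def failed_events(log_text):
    """Yield (timestamp, source, username) for each failed login line."""
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        if result == "FAIL":
            yield datetime.fromisoformat(ts), src, user

def max_failures_per_account(log_text):
    """What a per-account failure counter sees: the worst single account."""
    counts = defaultdict(int)
    for _, _, user in failed_events(log_text):
        counts[user] += 1
    return max(counts.values(), default=0)

def sources_hitting_many_accounts(log_text, window=timedelta(minutes=10), limit=5):
    """Return {source: peak distinct usernames failed in any window} where peak > limit."""
    by_src = defaultdict(list)
    for ts, src, user in failed_events(log_text):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _) in enumerate(events):
            # Slide the window start forward until it spans at most `window`.
            while ts - events[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u in events[start:end + 1]}))
        if peak > limit:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print("worst per-account failure count:", max_failures_per_account(SAMPLE_LOG))
    print("sources over threshold:", sources_hitting_many_accounts(SAMPLE_LOG))
```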